Active IQ Unified Manager Discussions

Getting a quick "connection refused"

MONSOONCAT
5,048 Views

A TCP connection towards an arbitrary high port number (>=1024) on the Netapp seems to return "connection refused" instantly.

By contrast, a connection towards a low port number waits for several minutes, then something times out.  I imagine this is related to assisting security etc.

As part of our transition from our previous non-NetApp fileserver, it would be very useful if we could persuade the NetApp to return a quick "connection refused" on a particular low port number.  But we cannot see a way to adjust this behaviour (either for a particular low port or for all low ports).  Is this possible?  If so, could you point us to the relevant documentation, please?

3 REPLIES

aborzenkov

This is the first time ever I hear about such behavior. Would be interesting to see

- netstat -an from filer

- network trace for connection to port that is definitely not in LISTEN state in above output; you could generate it on NetApp using pktt tool.

Yes, I confirm it (tested on 8.0.2P4). Interesting. There is undocumented option ip.tcp.limit_rsts which sounds like it could be related; but I suggest you open case with NetApp and update this thread if you get this resolved.


MONSOONCAT

Thanks. We, too, checked it on our NetApp and also on a simulator before I posted my request.

In our context this request is both "low priority" and "now", affecting an external application. If such a control mechanism were available now within the NetApp, this would be the cleanest overall way to handle it. But if it is not available, then we have sketched out a 'not quite as clean' work-around at the application end. (So although the priority of the issue in our overall service-provision is rising as we migrate to the NetApp, our potential work-around will drop the priority of needing to address it within the NetApp.)

So although it is affecting our application, I probably won't raise it with NetApp.  (Anyway, the NetApp here is run by a different group; I'll suggest to them that they consider raising the issue, but I suspect the application-level workaround means we won't.)

Meanwhile, if anyone happens to know an option or mechanism in the NetApp that would allow a low port number to return "connection refused", then we'd be pleased to hear about it.

aborzenkov

After some research - in 8.x, ports below 1024 are blocked by an explicit firewall rule in the low-level FreeBSD layer. These rules are part of the read-only root image, so there is no way to change them. It looks like a deliberate decision; so the only way to change it (at least, to make it configurable) is to raise the issue with NetApp.
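A small probe that separates the two behaviours described in this thread, added here as an example and not code posted by anyone in the discussion: a connect that gets a TCP RST back (what the thread sees on ports >= 1024) is reported as "refused", a connect that hears nothing before the timeout (what the thread sees on ports below 1024, consistent with a firewall rule that silently drops) is reported as "filtered", and an ICMP unreachable or missing route is reported as "unreachable". The filer address and port list under `__main__` are placeholders, not values from the thread; the loopback self-check constructs its own listener so it runs offline.

```python
import errno
import socket


def classify_connect_error(exc):
    """Map a failed connect() to the behaviour the thread describes.

    refused     -> the peer answered with a TCP RST (ECONNREFUSED)
    filtered    -> nothing came back before the timeout (silently dropped,
                   as a firewall rule without a reject action does)
    unreachable -> ICMP unreachable or no route to the host
    error       -> anything else (EACCES, EADDRNOTAVAIL, ...)
    """
    if isinstance(exc, socket.timeout):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect; return open/refused/filtered/unreachable/error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except OSError as exc:  # socket.timeout and ConnectionRefusedError are OSErrors
        return classify_connect_error(exc)
    finally:
        s.close()


def sweep(host, ports, timeout=3.0):
    """Probe several ports and return {port: result}."""
    return {p: probe(host, p, timeout) for p in ports}


def local_self_check():
    """Exercise the classifier offline on loopback: a live listener gives
    'open'; the same port after the listener has closed gives 'refused'."""
    lis = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lis.bind(("127.0.0.1", 0))  # kernel picks a free port
    lis.listen(1)
    port = lis.getsockname()[1]
    try:
        while_open = probe("127.0.0.1", port, timeout=2.0)
    finally:
        lis.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # Placeholder filer address and ports (assumptions, not from the thread).
    FILER = "192.0.2.10"
    for port, result in sweep(FILER, [22, 80, 445, 2049, 10000]).items():
        print(f"{FILER}:{port:<6} {result}")
```

Run against a filer showing the behaviour from the thread, the low ports should come back "filtered" after the timeout and the unused high ports "refused" immediately; a port that reports "filtered" while `netstat -an` on the filer shows nothing in LISTEN is the case the thread is about.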
